In a new study, researchers have suggested hackers can not only infiltrate printers and snag personal information for illicit uses such as identity theft, but can also command the printer to start a fire.
The research, conducted by researchers at Columbia University and funded by government and industry grants, demonstrates a scenario that includes dire risks for millions of people. In their results, researchers say they have found a new class of security flaws that can cause significant damage to businesses, consumers and government agencies.
MSNBC published an extensive report on this study which details these ominous findings. The proverbial fingers are pointing to firmware, the embedded software that controls the printer and is replaced when the printer is updated. Researchers indicated they reverse engineered the software controlling HP LaserJet printers through "Remote Firmware Update."
Checking for a firmware update is a normal process when print jobs are sent to the printer. However, researchers have concluded the "printers don’t discriminate the source of the update software." This indicates that no controls are in place to verify authenticity (e.g., a digital signature), and that a "booby-trapped" version can be installed on the printer.
"Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage," MSNBC said in yesterday's report.
The report added, "They say there's no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there's no way to tell if hackers have already exploited it."
When people think of hacking, they generally think of problems associated with traditional computers. Risks often linked to hacking include identity theft and financial losses, and most would agree this is a serious concern nowadays. However, today's devices, such as printers, are no longer standalone objects that run over a simple connection as older models did. Peripheral devices are now practically computers themselves: each is a piece of an interconnected network and runs its own code. This means they can be exploited by attacking that code.
The Columbia study suggests, in addition to other types of exploits, physical damage from hacking is a risk due to the flaw in the printers.
According to the MSNBC report, two of the researchers were able to demonstrate
"how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke."
While a manufacturer-installed thermal switch did shut the device down, the researchers theorize printers could be used as fire starters with insertion of computer code.
The researchers told Hewlett-Packard about their findings last week. Reportedly, HP is still reviewing details of the research. HP released a statement that disputes some of these findings, citing the fact that the research was conducted on older printer models. A company representative said newer printers, since 2009, do require digitally signed firmware upgrades.
In a press release, HP said:
"Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false."
The statement went on to outline how the "thermal breaker" would prevent overheating or a fire from starting.
HP also said the company has identified some "potential security vulnerability with some HP LaserJet printers" and notes this applies to printers placed on the public Internet with no firewall in use.
"In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade," HP also said.
MSNBC reported that Columbia professor Salvatore Stolfo, who directed the research, said,
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are."
Stolfo added, “The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.”
As electronic devices become more Internet-centric, the risks have steadily been increasing. Other research has already outlined how copy machines carry a substantial risk when it comes to identity theft. In this respect, it stands to reason other devices carry hacking risks as well.
And, unfortunately, the only correction may be to toss out the vulnerable devices and invest in newer, more secure models.
“If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Ang Cui, a researcher on the project, said. “This is nothing like fixing a virus on your PC.”
“It's like selling a car without selling the keys to lock it,” Stolfo said. “It’s totally insecure.”
This raises the question of whether other brands of printers, and other types of devices, may be at risk.